Kubernetes internal only ingress

9/19/2019

I'm trying Kubernetes in an Azure environment (AKS).

I have an nginx ingress deployed and exposed to internet through a public ip and an azure load balancer. It is used to expose public/front services.

My issue is I would like to deploy 'back' services, not exposed to the internet. My first guess would be to deploy a second ingress and expose it on the internal load balancer, am I right?

But what if my front services need to consume the back services, can I consume them over the second ingress (to use nginx configuration, SSL offload, etc.) but not do a round trip to the internal load balancer? What will be the DNS configuration in that case?

-- luke77
azure
azure-aks
dns
kubernetes
kubernetes-ingress

2 Answers

9/21/2019

You do not need to deploy a secondary ingress service. All you need to do is make your service endpoint [IP] private and they should be able to talk to your ingress service only.

So how you create a private IP: https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip

-- Nithin Prasad
Source: StackOverflow
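What the approach in the linked Microsoft doc looks like as a manifest, as an added example that is not part of the answer or of the linked page: the ingress-nginx controller's Service is given the AKS internal-load-balancer annotation, so the controller receives a private IP on the cluster's VNet instead of a public one. The namespace, selector labels and the example address are assumptions.

```yaml
# Added example: expose the ingress-nginx controller on an Azure *internal* load balancer.
# The annotation is the documented AKS annotation; namespace, selector labels and the
# address are assumptions for illustration.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-internal
  namespace: ingress-nginx                # assumed namespace of the controller
  annotations:
    # Tells the Azure cloud provider to create the load balancer on the VNet, with no public IP.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  loadBalancerIP: 10.240.0.42             # constructed address inside the VNet; omit to let Azure pick one
  selector:
    app.kubernetes.io/name: ingress-nginx # assumed controller pod labels
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
```

After `kubectl get svc -n ingress-nginx ingress-nginx-internal` shows the private address under EXTERNAL-IP, the hostnames used in the Ingress rules need a record pointing at that address in a private DNS zone (for example an Azure Private DNS zone linked to the VNet); clients outside the VNet, including the internet, cannot reach it at all.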

9/21/2019

Ingress controllers are made for external traffic. For in-cluster communication it is best to use Kubernetes Services, which will configure the DNS inside the cluster. With a Service you'll be able to call your backend service without doing a round trip to an external resource; the load balancing will be done natively inside the k8s cluster. Nothing prevents you from deploying an nginx pod or injecting it as a sidecar in your backend service pod and using it as a reverse proxy, but do you really need the nginx configuration and mutual TLS for in-cluster communication? If you really need mutual TLS, you'd better look at something like Istio, but it is probably overkill for your use case.

-- Jean-Philippe Bond
Source: StackOverflow
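The in-cluster setup described in this answer, as an added example that is not part of the answer: a plain ClusterIP Service for the back service (no load balancer, no VNet or public IP is allocated), a front Deployment that reaches it by its cluster DNS name, and a NetworkPolicy so that only the front namespace can reach the back pods. Namespaces, labels, ports and the image reference are assumptions; the NetworkPolicy only takes effect on a CNI that enforces policy (on AKS, Azure CNI with network policy enabled or Calico), and the `kubernetes.io/metadata.name` namespace label is set automatically on Kubernetes 1.21 and later.

```yaml
# Added example: consume a 'back' service in-cluster through a ClusterIP Service and cluster DNS.
# Names, namespaces, ports, labels and the image reference are assumptions for illustration.
apiVersion: v1
kind: Service
metadata:
  name: back-api
  namespace: back                         # assumed namespace for back services
spec:
  type: ClusterIP                         # the default: reachable only from inside the cluster
  selector:
    app: back-api                         # assumed pod label
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
# The front pods call the backend by its cluster DNS name <service>.<namespace>.svc.cluster.local;
# kube-proxy spreads the connections over the Service's endpoints, with no external round trip.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: front-web
  namespace: front                        # assumed namespace for front services
spec:
  replicas: 2
  selector:
    matchLabels:
      app: front-web
  template:
    metadata:
      labels:
        app: front-web
    spec:
      containers:
        - name: web
          image: registry.example/front-web:1.0   # constructed image reference
          env:
            - name: BACK_API_URL
              value: "http://back-api.back.svc.cluster.local:8080"
---
# Only pods in the 'front' namespace may open connections to the back pods on 8080;
# everything else in the cluster is denied (enforced only by a policy-capable CNI).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: back-api-allow-front-only
  namespace: back
spec:
  podSelector:
    matchLabels:
      app: back-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: front
      ports:
        - protocol: TCP
          port: 8080
```

To check the DNS side from a front pod: `kubectl exec -n front deploy/front-web -- nslookup back-api.back.svc.cluster.local` should return the Service's ClusterIP, and a request to `$BACK_API_URL` should succeed, while the same request from a pod in any other namespace is dropped once the NetworkPolicy is enforced.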